[Koha] Is Koha plugin system safe?

Fri Apr 17 13:03:16 NZST 2020

Hi Michal,

I would say that the plugin system (like many plugin systems) is risky. As Jonathan indicates, plugins are not reviewed by the Koha Community, so we can make no guarantees regarding safety/security of individual plugins. Since the plugins are third-party code, they could contain anything. That said, I doubt that you'd find any/many malicious Koha plugins in the wild. You're more likely to find Koha plugins that just have accidental security vulnerabilities. For instance, I have found some that have SQL injection vulnerabilities, which I wouldn't recommend using (although I say that personally and not as a member of the Koha Community - I'm not reviewing any plugins at a community level). 

In terms of safety, you're *probably* more likely to find accidental problems rather than malicious ones, although practically speaking you could encounter either. 

There is a fledgling conversation about adding signature (ie author verification) for plugins (https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632). With this verification, you could set up Koha to only use plugins from a trusted provider (like Prosentient Systems, PTFS Europe, ByWater Solutions, BibLibre, EBSCO, etc.) . 

That wouldn't keep you safe from accidental security vulnerabilities, but it would keep you safe from malicious plugins. 

The trade-off with plugins is that you get new functionality quicker but it's not as rigorously reviewed as the Koha codebase. 

David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St
Ultimo, NSW 2007
Australia

Office: 02 9212 0899
Online: 02 8005 0595

-----Original Message-----
Date: Thu, 16 Apr 2020 03:28:34 -0700 (MST)
From: Michał Dudzik <dudzikmichal at wp.pl>
To: koha at lists.katipo.co.nz
Subject: [Koha] Is Koha plugin system safe?
Message-ID: <1587032914820-0.post at n5.nabble.com>
Content-Type: text/plain; charset=us-ascii

The koha plug-in system enables easy system expansion with an additional non-standard function.
I have received several queries from librarians about the security of the plug-in system.
Personally, I have not observed any problems, so I would like to ask if using the plug-in system is safe?

Regards,
Michal

--
Sent from: http://koha.1045719.n5.nabble.com/Koha-general-f3047918.html

------------------------------

Message: 2
Date: Thu, 16 Apr 2020 12:54:23 +0200
From: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
To: Michał Dudzik <dudzikmichal at wp.pl>
Cc: koha <koha at lists.katipo.co.nz>
Subject: Re: [Koha] Is Koha plugin system safe?
Message-ID:
	<CAJzKNY6-UxzgUsRHuizsNS5ir9HoqE7couyWh50P+gKUKfNuMA at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hi Michal,

It depends on the plugin :)
A plugin can do almost everything it wants, so you should only install plugins you really trust.
And you should give the permissions to manage them to librarians you really trust as well.

I should add that plugins are almost never reviewed (by the QA team for instance), so they could potentially contain security issues.

Regards,
Jonathan

Le jeu. 16 avr. 2020 à 12:28, Michał Dudzik <dudzikmichal at wp.pl> a écrit :
>
> The koha plug-in system enables easy system expansion with an 
> additional non-standard function.
> I have received several queries from librarians about the security of 
> the plug-in system.
> Personally, I have not observed any problems, so I would like to ask 
> if using the plug-in system is safe?
>
> Regards,
> Michal
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 484 bytes
Desc: not available
URL: <https://lists.katipo.co.nz/pipermail/koha/attachments/20200417/0748d5ad/attachment.sig>